intercept a dns port for one computer

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Atheros WiSOC based Hardware
Author Message
cdsonic
DD-WRT Novice


Joined: 30 Jun 2014
Posts: 22

PostPosted: Sat Jan 20, 2018 2:43    Post subject: intercept a dns port for one computer Reply with quote
Good afternoon

I have setup opendns on my router using the following instructions https://www.dd-wrt.com/wiki/index.php/OpenDNS and I want to allow one computer to dictate its own dns's.

My son's computers are hooked up to Opendns and I am using the following rules to stop him changing his dns settings
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

I have looked at these rules
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

and I am still unsure how to set up a rule so that my computer can use its own dns settings.
Sponsor
jasonkruys
DD-WRT User


Joined: 13 Dec 2013
Posts: 90

PostPosted: Sat Jan 20, 2018 12:12    Post subject: Reply with quote
Could I use the same command to make a specific device on a static IP use a specific DNS? I have an IPTV device that I want to point specifically at my ISP DNS, whereas everything else I am forcing to use Open VPN.
cdsonic
DD-WRT Novice


Joined: 30 Jun 2014
Posts: 22

PostPosted: Sun Jan 21, 2018 12:52    Post subject: Reply with quote
Thank jxm for your reply

I have a couple of questions around your answer
If my son was to set a static ip less than 192.168.1.128 an put in say googles dns does that mean he would in theory be able to by pass the OpenDNS settings on the router, if the second set of rules are in place.
If so can I do the following
Give the one computer a ip of 192.168.1.2 and change the rule to 192.168.1.3/25 ?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3708
Location: UK, London, just across the river..

PostPosted: Mon Jan 22, 2018 8:07    Post subject: Reply with quote
to force router's DNS settings use only, go to Basic Settings>Network Address Server Settings (DHCP)>turn on Forced DNS Redirection save apply, restart...

in that case your son will not be able to use any other DNS
even if try to bypass it on PC level Wink

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 44085 BS AP,NAT
TP-Link WR740Nv4 ------DD-WRT 43028 BS WAP/Switch
TP-Link WR1043NDv2 ----DD-WRT 44085 BS AP,NAT,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----DD-WRT 44048 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -------DD-WRT 44085 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -------DD-WRT 44085 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
cdsonic
DD-WRT Novice


Joined: 30 Jun 2014
Posts: 22

PostPosted: Thu Jan 25, 2018 10:00    Post subject: Reply with quote
Thanks jxm

Alozaros

I still need one device to have a different set of DNS addresses.

I am just trying to work out how to force every device connected to use OpenDNS DNS's and allow one device to use a different DNS that I set on it
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3708
Location: UK, London, just across the river..

PostPosted: Thu Jan 25, 2018 14:10    Post subject: Reply with quote
https://www.dd-wrt.com/wiki/index.php/Parental_control
kind of....

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 44085 BS AP,NAT
TP-Link WR740Nv4 ------DD-WRT 43028 BS WAP/Switch
TP-Link WR1043NDv2 ----DD-WRT 44085 BS AP,NAT,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----DD-WRT 44048 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -------DD-WRT 44085 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -------DD-WRT 44085 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5703
Location: Akershus, Norway

PostPosted: Fri Jan 26, 2018 12:53    Post subject: Reply with quote
Use "-s !<ip address>" i.e -s !192.168.1.150 in the iptables rule, where ! mean not.
cdsonic
DD-WRT Novice


Joined: 30 Jun 2014
Posts: 22

PostPosted: Sat Jan 27, 2018 2:15    Post subject: Reply with quote
Alozaros, Thanks for the info so far

I set up every thing as per https://www.dd-wrt.com/wiki/index.php/Parental_control

but I have run into one small problem, I hooked up a windows based PC let it get its IP via DHCP then turned on a VPN app and it went straight past the OpenDNS settings
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5703
Location: Akershus, Norway

PostPosted: Sat Jan 27, 2018 14:57    Post subject: Reply with quote
The router cannot intercept dns traffic inside the vpn tunnel.
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 757

PostPosted: Sat Jan 27, 2018 15:21    Post subject: Reply with quote
I personally have never tried them but on Security->VPN Passthrough, you could disable these. I am sure that one could come up with a way around them but it will limit some.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 5265
Location: Texas

PostPosted: Sat Jan 27, 2018 16:03    Post subject: Reply with quote
cdsonic wrote:
My son's computers are hooked up to Opendns and I am using the following rules to stop him changing his dns settings

I wouldn't get too invested in stopping him if he is the determined type ... just sayin
If the boy is determined to go where he wants he will just use DNScrypt on his computer or phone or use a VPN provider
or setup his own ovpn server on a buddies router ....
Twisted Evil
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 757

PostPosted: Sat Jan 27, 2018 22:03    Post subject: Reply with quote
mrjcd wrote:
cdsonic wrote:
My son's computers are hooked up to Opendns and I am using the following rules to stop him changing his dns settings

I wouldn't get too invested in stopping him if he is the determined type ... just sayin
If the boy is determined to go where he wants he will just use DNScrypt on his computer or phone or use a VPN provider
or setup his own ovpn server on a buddies router ....
Twisted Evil


After thinking about it and coming back to post but mrjcd beat me to it... he has physical/admin access to the computer and so many things are possible. Looking into locking down the devices is the better option.
cdsonic
DD-WRT Novice


Joined: 30 Jun 2014
Posts: 22

PostPosted: Sun Jan 28, 2018 0:11    Post subject: Reply with quote
Thanks all for your input.

My son likes YouTube so he will probably get around it eventually, but at least there is some protection in place in the short term.

I have one other issue but I will start a new topic for it.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Atheros WiSOC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum